Click to skip the navigation bar
Search
Search Menu

Security Advisory: Multiple OS Command Injection Vulnerabilities in TP-Link TL-WR940N (CVE-2026-11409 to CVE-2026-11410)

Security Advisory
Last updated: June 16, 2026

Description of Vulnerabilities and Impacts:

Multiple authenticated OS command injection vulnerabilities have been identified in TL-WR940N v6. These vulnerabilities affect specific WAN configuration modules due to insufficient input validation of user-supplied parameters.

Successful exploitation requires authenticated access to the web management interface and may allow execution of arbitrary system commands with elevated privileges, access sensitive information, modify system configuration, and disrupt device availability. These impacts may affect the confidentiality, integrity, and availability of the device.

CVE-2026-11409: OS Command Injection in IPv6 PPPoE Configuration

An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler due to improper sanitization of user-supplied input. This input may be incorporated into system command execution.

CVE-2026-11410: OS Command Injection in BigPond Cable (BPA) Configuration

An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module, where certain parameters are not properly sanitized before being used in system command construction.

The above CVEs share the same severity rating

CVSS v4.0 Score: 8.5/ High

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes:

Affected Product

Hardware Version

Fixed Version

TL-WR940N

V6

V6_260528

Important Information:

This device has reached end-of-life (EOL); therefore, please review the ‘Recommendation(s)’ section carefully.

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Follow the instructions to update to the latest firmware version to fix the vulnerabilities:

US: Download for TL-WR940N | TP-Link

EN: Download for TL-WR940N | TP-Link

  1. Upgrade the device to one of our supported models to be able to receive automatic updates for ongoing protection.
  2. Limit administrative access: restrict access to the web management interface to trusted networks only.

Disclaimer:

This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.

Related FAQs

Looking For More

Is this faq useful?

Your feedback helps improve this site.

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

As explained further in our website Privacy Policy, we allow certain advertising partners to collect information from our website through cookies and similar technologies to deliver ads which are more relevant to you, and assist us with advertising-related analytics (e.g., measuring ad performance, optimizing our ad campaigns). This may be considered "selling" or "sharing"/disclosure of personal data for "targeted advertising" as defined by certain U.S. state laws. To opt out of these activities, press "Opt Out" below. If the toggle below for "Targeted Advertising and 'Sale' Cookies" is to the left, you are already opted out and you can close these preferences.

Please note that your choice will apply only to your current device/browser. You must indicate your choice on each device and browser you use to access our website. If you clear your cookies or your browser is set to do so, you must opt out again.

Your Privacy Choices

As explained further in our website Privacy Policy, we allow certain advertising partners to collect information from our website through cookies and similar technologies to deliver ads which are more relevant to you, and assist us with advertising-related analytics (e.g., measuring ad performance, optimizing our ad campaigns). This may be considered "selling" or "sharing"/disclosure of personal data for "targeted advertising" as defined by certain U.S. state laws. To opt out of these activities, press "Opt Out" below. If the toggle below for "Targeted Advertising and 'Sale' Cookies" is to the left, you are already opted out and you can close these preferences.

Please note that your choice will apply only to your current device/browser. You must indicate your choice on each device and browser you use to access our website. If you clear your cookies or your browser is set to do so, you must opt out again.

These cookies are necessary for the website to function and cannot be switched off.

These cookies allow targeted ads or the "sale" of personal data (toggle to the left to opt out).

Analytics cookies enable us to analyze your activities on our and other websites in order to improve and adapt the functionality of our website and our ad campaigns.

Advertising cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Welcome to Our Website! If you stay on our site, we and our third-party partners use cookies, pixels, and other tracking technologies to better understand how you use our site, provide and improve our services, and personalize your experience and ads based on your interests. Learn more in your privacy choices.